Essential Guide | Data Exchange Protocols in Pharma Serialization

An overview of how serialization data flows across pharma systems using HTTPS, SOAP, SFTP, and AS2 to ensure seamless track and trace. Explains why protocol selection directly affects EPCIS transfers, partner connectivity, and compliance.

Vaishnavi Puvvada

July 24, 2025

Table of Contents

Data exchange is the foundation of pharma serialization. Every time a system requests serial numbers, sends EPCIS events, communicates with packaging lines, or shares shipment data with partners, it relies on specific communication protocols such as HTTPS, SOAP, SFTP, and AS2. Each of them is designed for specific file sizes, security levels, and operational needs. Yet many serialization issues trace back to simple misunderstandings about how these protocols work. A clear grasp of data exchange fundamentals reduces exceptions, speeds up troubleshooting, and strengthens compliance.

Different Types of Protocols

1. HTTPS (HyperText Transfer Protocol Secure)

HTTPS is a secure version of HTTP that uses TLS encryption to safely exchange data between client and server. In serialization, it is widely used for transactional requests and lightweight data exchange.

How HTTPS Works in Serialization?

The L4 system sends a request to a whitelisted HTTPS endpoint.
The destination server validates the request using API keys, OAuth tokens, or client certificates.
Both sides establish a TLS handshake to encrypt the communication.
The server returns a synchronous response - meaning the client must wait until the server completes processing.

Technical Considerations

Technical Consideration	Details
Whitelisting	- HTTPS endpoints must often be whitelisted in plant networks and firewalls - Many pharma IT teams use outbound restrictions, so the Track & Trace software’s IP must be explicitly permitted
Timeouts	- Typical HTTPS timeouts range from 60–240 seconds - Large EPCIS shipments can exceed this, causing request failures - Increasing timeouts may violate corporate security policy or conflict with regulatory systems enforcing fixed limits
File Handling	- HTTPS is suitable for small files (typically <5 MB) - Larger files require streaming or chunking — which most legacy serialization systems do not support
Acknowledgment	- HTTPS uses synchronous responses such as `200 OK`, `201`,`400`, `500`, or vendor-specific status codes

‍

2. SOAP (Simple Object Access Protocol)

SOAP is an XML-based message protocol used by many legacy serialization and regulatory systems. It enforces strict schemas, making it popular where structure and validation accuracy are important.

How SOAP Works in Serialization?

Requests and responses are structured as SOAP envelopes containing XML payloads.
Validation is enforced using XSD schemas, ensuring messages adhere to exact formats.
Uses WS-Security:
- XML encryption
- Digital signatures
- Timestamp validation

Technical Considerations

Technical Consideration	Details
Whitelisting	- SOAP typically uses HTTPS transport, so endpoint IP ranges must be whitelisted - Certificates must match expected CN/SAN fields or requests are rejected
Timeouts	- SOAP servers often enforce stricter processing timeouts because XML parsing is heavy - Schema validation failures cause immediate SOAP Fault responses
File Handling	- SOAP is not ideal for file transfer - Attachments use MTOM or base64 encoding, which increases file size by 30–40%
Acknowledgment	- SOAP returns detailed Fault codes, providing clarity on validation vs system-level error

‍

3. SFTP (Secure File Transfer Protocol)

SFTP is a secure, file-based protocol running over SSH. It is ideal for large EPCIS files, batch events, and asynchronous data exchange.

How SFTP Works in Serialization?

The L4 system connects to a partner’s SFTP server using a username + SSH key pair.
Files are uploaded to a specific folder path (e.g., /incoming/epcis/shipments/).
The receiving system picks up the file asynchronously for processing.
Processed files are often moved to /archive or /error folders.

Technical Considerations

Technical Consideration	Details
Whitelisting	- SFTP requires opening port 22 outbound and whitelisting the partner IP - SSH fingerprints must be validated before establishing the first connection
Timeouts	- SFTP avoids synchronous timeouts completely because transfer is asynchronous - Timeouts only occur if the connection drops due to network instability or inactivity thresholds trigger
Blob Storage	- Large files (10–200 MB EPCIS shipments) are stored directly as blobs on the SFTP server - Ideal for event-rich scenarios such as aggregation or large shipment batches
Acknowledgment	Processing acknowledgment is provided via: • Auto-generated receipt files • Status folders (`/success`, `/error`) • Partner callbacks via API

‍

4. AS2 (Applicability Statement 2)

AS2 is a B2B communication standard widely used in the US and Indonesia supply chain requirements. It is designed for secure, reliable, file-based data exchange, especially large EPCIS shipment files.

How AS2 Works in Serialization?

Uses HTTPS + digital certificates to encrypt and sign messages.
Transmits files (usually EPCIS XML) as MIME payloads.
The receiver returns an MDN (Message Disposition Notification) to confirm delivery.
MDN acts as legal proof of transmission, critical for regulated supply chains.

Technical Considerations

Technical Consideration	Details
Whitelisting	- AS2 requires whitelisting HTTPS endpoints and ports - Certificates must be exchanged and configured correctly — mismatches lead to failures
Timeouts	- AS2 allows asynchronous MDNs, reducing synchronous timeout risk - Requires stable network and firewall rules for successful delivery
Blob Storage	- AS2 can handle very large files because processing is asynchronous - MIME packaging ensures data integrity throughout the transfer
Acknowledgment	MDNs provide: • Cryptographic proof of receipt • Error codes • Non-repudiation of origin and receipt

‍

Advantages & Limitations Overview

Protocol	Advantages	Limitations
HTTPS	- Fast, Real-time communication - Widely supported across industry - Flexible authentication mechanisms (OAuth tokens, JWT, Mutual TLS certificates) - Suitable for low-latency processes - Low operational overhead	- Not reliable for large EPCIS event files due to server timeout limits (commonly 2–4 minutes) - Even a 99% uploaded file must restart from zero if interrupted - Both sender and receiver must remain online for the full transaction
SOAP	- Strong schema enforcement (WS-Security, XML Signatures) - SOAP Faults provide detailed error messages that simplify troubleshooting - Supports digital signatures, timestamping, encryption — ideal for compliance-heavy integrations	- Heavy, verbose XML increases payload size - Schema changes require full revalidation and updates - Nested XML errors are difficult for non-technical users to interpret - Slower than HTTPS/REST due to XML parsing and signature validation
SFTP	- Handles very large EPCIS files efficiently - Resumable transfers if network drops occur - Works well with asynchronous processing - Simple folder-based design for easy monitoring, automation, and troubleshooting - Ideal for high-volume partners	- Not suitable for real-time API workflows - Requires SSH key management and firewall rules - Needs monitoring to prevent orphaned or partially uploaded files - No built-in delivery acknowledgment
AS2	- Supports signing, encryption, and non-repudiation - MDNs (Message Disposition Notifications) confirm delivery reliably - Reliable for large EPCIS payloads - Designed for secure B2B regulatory environments	- Complex to configure (certificates, MDN handling, endpoints) - Requires dedicated AS2 server infrastructure - Troubleshooting requires specialized expertise

‍

Considerations When Using HTTPS for Large File Transfers

HTTPS can support large file uploads when infrastructure, APIs, and server configurations are designed for long-running connections. However, in pharmaceutical serialization environments, partners may experience timeouts or failures because many L3/L4 systems, security gateways, and firewalls are not optimized for large, synchronous HTTPS transfers. These constraints are architectural, not protocol-specific, and vary widely across vendors.

Root Cause	Impact on Serialization Data Exchange
Strict timeout limits (60–240s)	Large EPCIS files may exceed processing time on some partner systems → leading to dropped connections or retries
Synchronous communication requirement	Both systems must stay connected during full upload + validation → tough for large payloads
No support for resumable uploads	If upload fails at 99%, it restarts from zero → high bandwidth waste + duplicate attempts
Heavy XML processing overhead	Large EPCIS XML files take a long time to parse and validate against CBV → higher timeout probability
Regulatory hubs enforce fixed timeouts	Some regulatory endpoints restrict timeout adjustments → making very large HTTPS uploads less practical depending on configuration
HTTPS is optimized for APIs, not bulk transfer	Best suited for small transactional payloads; not for large EPCIS event files

‍

Data Exchange Protocols: Quick Selection Matrix

Activity / Use Case	Recommended Protocol(s)	Why This Protocol Works Best
Serial number requests (L4 → L3)	HTTPS, SOAP	Real-time, low-latency transactional messages.
Commissioning / decommissioning events	HTTPS, SOAP	Structured, synchronous event updates.
EPCIS exchange < 5 MB	HTTPS	Fast upload; low overhead; works for small event sets.
EPCIS exchange 5–50 MB (typical shipments)	SFTP, AS2	Avoid HTTPS timeouts; reliable for large event files.
EPCIS > 50 MB (large aggregations)	SFTP, AS2	Handles heavy payloads; resumable transfers via SFTP; MDN validation via AS2.
Regulatory submissions	SOAP, HTTPS	Depends on country: EU Hub uses SOAP; some accept HTTPS.
B2B supply chain partner exchange	AS2, SFTP	Required for DSCSA; ensures encryption, signing, non-repudiation.
Bulk data dumps from packaging lines	SFTP	Asynchronous, stable for nightly batch uploads.
Internal enterprise integrations	HTTPS / SFTP	Depends on whether API calls or bulk files are exchanged.

‍

Conclusion

Data exchange is the plumbing of pharma serialization. Every serial number request, every EPCIS shipment, and every regulatory submission depends on the right protocol being used for the right job. HTTPS brings speed, SOAP brings structure, SFTP brings reliability for large files, and AS2 brings secure B2B delivery with proof of receipt. Understanding these protocols, their limitations, and where they fit ensures fewer exceptions, smoother partner integrations, and more resilient Track & Trace operations. For anyone working across L3, L4, supply chain, or regulatory environments, this knowledge isn’t optional, it’s foundational.

Simplify Traceability and Regulatory Compliance with AI

Book a Demo

Get instant access to the article now!

Thank you! You can download the file!

Download

Oops! Something went wrong while submitting the form.

FAQS

Frequently asked questions

Got Questions? We’ve Got You Covered.

Why do pharma serialization data exchange protocols cause the majority of EPCIS errors?

Pharma serialization data exchange protocols such as misconfigured endpoints, timeouts, incorrect file handling, and protocol mismatches cause 70 to 80% of EPCIS errors and exceptions. Even if the serialization data is usually correct, the exception occurs in how it is transmitted between systems, not in what it contains.

Why can't pharma serialization data exchange use HTTPS for all EPCIS submissions?

HTTPS is appropriate for small, time-sensitive pharma serialization EPCIS submissions, generally under 5 MB. Large event files, such as batch commissioning reports, exceed HTTPS endpoint processing windows and trigger timeouts. Substantial serialization data volumes require SFTP or AS2 to transfer reliably.

When should pharma serialization data exchange protocols use SFTP versus AS2?

Use SFTP for large, asynchronous pharma serialization data transfers when trading partners do not require formal delivery receipts. Use AS2 when the exchange requires encryption, digital signatures, and proof of receipt (common in US DSCSA) and partners with formal data governance or non-repudiation requirements.

What is the safe HTTPS file size limit for pharma serialization EPCIS data submissions?

The safe HTTPS file size limit for pharma serialization EPCIS submissions is generally under 5 MB for EPCIS XML, depending on endpoint configuration and timeout settings. Payloads above this threshold risk timeout failures and should be routed through SFTP or AS2 by default.

Does SFTP encryption meet pharma serialization data security and compliance requirements?

SFTP encrypts pharma serialization data in transit through SSH, meeting baseline regulated-industry data security requirements. However, SFTP does not provide formal delivery receipts or non-repudiation - capabilities required for specific markets where proof of receipt is mandated alongside encryption.

Meanwhile, read our top resources

Track & Trace

Heading

Essential Guide | Data Exchange Protocols in Pharma Serialization

Different Types of Protocols